State Privacy Laws

Before HIPAA, no federal law governed the sharing of health information, and states created their own protections against the improper sharing of patient information. As a result, many states have enacted laws intended to protect the privacy and confidentiality of individually identifiable health information. Many of these laws were passed in the 1970s and 1980s, as concerns for health care privacy grew following the release of information about HIV, substance abuse or mental health treatment records of individuals.82 States created unique consent requirements for disclosure of information related to particular health conditions, such as mental illness, substance use disorder, HIV or other communicable diseases, as well as special populations, such as minors or victims of abuse. The laws vary widely from state to state and may apply to:

  • The type of provider disclosing or receiving information;
  • The type of institution sending or receiving information;
  • When information can be disclosed;
  • The amount of information being disclosed; or
  • The type of information that can be shared, even with patient consent.83

The most common types of information that state privacy laws govern are discussed below.

Mental Health Information

Many states have laws and regulations for the sharing of mental health information. A 2016 legislative analysis of state laws on mental health treatment records found that in 15 states laws were more restrictive than HIPAA and four states had laws that were judged to be a combination of more and less restrictive than HIPAA.84 For example, many state mental health laws require patient permission for every exchange of data, and prohibit re-disclosure, meaning that even if a patient gives his or her consent to a provider to view the information, the further sharing of information with another provider or entity is not allowed without the patient’s permission.

HIV/AIDS Information

A majority of states have laws related to the disclosure of patient information regarding HIV status.85 These laws typically apply to anyone who may encounter or obtain information that would reveal the HIV status of a patient, including providers, hospitals and clinics. The definition of “protected information” can differ from state to state. In some states, protected information includes information about medications and treatment; in other states, protected information is limited to test results. For example, Pennsylvania has a law that requires a patient’s written consent for disclosure of any information that could refer to the patient’s confidential HIV-related information and requires the sender to include in the disclosure a specific written statement prohibiting the information’s further disclosure.86

Genetic Information

Many states have laws that restrict access to genetic information without patient consent. Genetic information laws are intended to protect individuals against discrimination based on their genetic information from employers, health insurance companies or other entities. Similar to HIPAA, the federal Genetic Information Nondiscrimination Act of 2008 does not override state laws that may be more protective. Most state laws governing genetic information require written consent before disclosure to another entity, including providers and insurers.87 For example, New York has a law that states that “all records, findings, and results of any genetic test are confidential and may only be disclosed with written authorization from the individual.”88

Information About Minors

Under HIPAA, minors who are not emancipated from their parent or guardian require parental consent for treatment and disclosure of health records. HIPAA defines a “minor” as someone under 18 years of age; the minor’s parent, guardian or person acting in loco parentis (as a parent) must consent to the minor’s treatment and can access the minor’s health information and make disclosure decisions. HIPAA allows for exceptions based on state law, however.89 Many states have laws that allow minors under 18 years of age to consent to certain types of treatment and simultaneously give minors full power over disclosure of related health information, including to their parent or guardian. Minor consent laws are intended to encourage minors to seek treatment for conditions that they may be otherwise reluctant to disclose to parents or guardians and typically pertain to sensitive categories of health information such as sexually transmitted diseases, reproductive health or substance abuse. For example, in California, minors as young as 12 years of age can consent to treatment for mental health, substance abuse or reproductive health care and thus can choose whether to disclose information related to that treatment.90 Given this dynamic, electronic sharing of a minor’s information can be challenging because of the difficulty of creating data systems able to share only particular aspects of a health record based on patient age and consent status.

All Health Information

Many states have laws related to disclosure of health information for specific populations or conditions, but a few states require consent for information sharing for treatment, payment and health care operations.91 Both New York and Minnesota require that providers obtain patient consent before sharing any patient’s health information except in the case of emergencies.92 The law in Minnesota states that:

“A provider, or a person who receives health records from a provider, may not release a patient’s health records to a person without: a signed and dated consent from the patient or the patient’s legally authorized representative authorizing the release; specific authorization in law; or a representation from a provider that holds a signed and dated consent from the patient authorizing the release.”93